from the details-details-details dept

Late on Friday, the NY Times released the most detailed explanation to date of the PRISM system that was revealed on Thursday, claiming that nine of the biggest tech and internet companies were working with the NSA to give them "direct access" to servers. It explains how the original story was substantially true, as were the "denials," though the denials were (as predicted) a bit of doublespeak. Today, the Guardian revealed another slide from the presentation it has, which clarifies some more details.

Basically, it appears those companies all agreed to make it easier for the NSA to access data that was required to be handed over under an approved FISA Court warrant, and they appear to do this by setting up their own servers where they put that information (and just that information). From the NY Times report:

But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.

The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.

This is significantly less worrisome than the original Washington Post report, which suggested full real-time access to all servers. That's not quite what has happened, according to this report. This involves cases where the companies really do need to hand over this information. We can disagree with whether or not the FISA Court should issue these warrants, but at some point there may be information that the companies do need to hand over to the government. As for the Guardian, they published the following slide:

As you can see, it notes multiple programs where they can get data. The programs on top are the ones such as the NSA servers installed at telcos to collect all traffic running through them, which have been revealed before. The program on the bottom is PRISM, which clearly states: "collection directly from the servers of these U.S. Service Providers," followed by the already known list. That certainly confirms the "direct access" claim from the original WaPo report, but it could also be true in conjunction with the NY Times report, if you look at it as the companies setting up special servers where they place information they're ordered to hand over via FISA court orders. The "denials" from the companies are also substantially true, as they mean that the NSA isn't getting direct access to all their servers, but rather the ones set up for handing over this information.

The real question should be about what information the FISA Court is approving warrants over:

FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms, lawyers who work with the orders said. There were 1,856 such requests last year, an increase of 6 percent from the year before.

In one recent instance, the National Security Agency sent an agent to a tech company’s headquarters to monitor a suspect in a cyberattack, a lawyer representing the company said. The agent installed government-developed software on the company’s server and remained at the site for several weeks to download data to an agency laptop.

In other instances, the lawyer said, the agency seeks real-time transmission of data, which companies send digitally.

Note just how broad some of those searches may be. Staying around for weeks to download logs? We're not talking about narrowly focused searches here.

Of course, what's now also come out is that, despite Google and Microsoft releasing transparency reports about government requests for data, they don't include FISA requests because of the gag orders on them. It's only recently that both Google and Microsoft were able to include "range" numbers for how many national security letter requests they get. One hopes they're pushing to be transparent on FISA requests as well.

The article makes it clear that Twitter was alone among the companies in refusing to join this program. That does not mean that Twitter does not hand over data to the government when receiving a legitimate FISA order. I'm sure it does. But it does mean that they have not set up a special system to make it easy for the government to just log in and get the data requested. Some people have suggested that the government has little need for Twitter to join the program since nearly all Twitter information is public, but that's not true. There is still plenty of important information that might be hidden, including IP addresses, email addresses, location information and direct messages that the NSA would likely want. Besides, YouTube is a part of the program, and most of its data is similarly "public."

This is not, by the way, the first time that we've seen Twitter stand up and fight for a user's rights against a government request for data. Over two years ago, we pointed out that Twitter, alone among tech companies, fought back when a court ordered it to hand over user info. Twitter sought, and eventually got, permission to tell the user, and allow that user to try to fight back. It later came out that, as part of that same investigation, the government also had requested information from Google and Sonic.net, with Sonic.net fighting back and losing. It never became clear whether Google fought back.

Separately, however, Chris Soghoian has noted that an "unnamed company" fought back and lost against a FISA court order... and that, according to the PowerPoint presentation, Google "joined" PRISM just a few months later. It is possible that Google fought joining the program, and then only did so after losing in court. That said, Google's most recent denial insists that "the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box." Perhaps they don't consider a special server set up for lawfully required information a "drop box," but others certainly might.

In the end, it appears that the initial Washington Post report was overblown in that it suggested direct access to all servers, rather than specific servers set up to provide information that was required. That said, it is still true that the FISA Court appears to issue a fair number of secret orders for information from a variety of technology companies, some of them quite broad, and that many of the biggest tech companies have set up systems to make it easier to give the NSA/FBI and others access to that info -- though they are often required by law to provide that information. The real outrage remains that all of this is happening in complete secrecy, where there is little real oversight to stop this from being abused. As we noted just a few weeks ago, the FISA Court has become a rubber stamp, rejecting no requests at all in the past two years.

Given the revelations of the past week, the public (and our representatives) need to demand much more transparency and oversight concerning these surveillance programs.

from the not-a-good-week-for-the-nsa dept

Obviously, the Verizon/NSA situation was merely a small view into just how much spying the NSA is doing on everyone. And it seems to be spurring further leaks and disclosures. The latest, from the Washington Post, is that the NSA has direct data mining capabilities into the data held by nine of the biggest internet/tech companies:

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

Dropbox, the cloud storage and synchronization service, is described as “coming soon.”

This program, like the constant surveillance of phone records, began in 2007, though other programs predated it. They claim that they're not collecting all data, but it's not clear that makes a real difference:

The PRISM program is not a dragnet, exactly. From inside a company’s data stream the NSA is capable of pulling out anything it likes, but under current rules the agency does not try to collect it all.

Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”

Even when the system works just as advertised, with no American singled out for targeting, the NSA routinely collects a great deal of American content.

from the don't-speak dept

Last time we wrote about Paltalk, it was an article talking about how the company had put together a decent business charging for the use of its chatting software. Apparently that business model wasn't decent enough, because the company has gone into all-out patent lawsuit war. A bunch of folks have sent in various versions of the story, but basically, Paltalk has sued a bunch of the big-name multiplayer online gaming companies: Activision-Blizzard, Sony, NCSoft, Turbine and Jagex. The back story is that the company bought some patents a few years back (anyone know which patents? -- a quick search doesn't turn up much) from another company. It claims that the patents cover "technologies for sharing data among many connected computers so that all users see the same digital environment." Initially, it sued Microsoft, and spent years fighting that case, until Microsoft figured it was cheaper to settle earlier this year, and handed over an undisclosed amount of cash. With that new bankroll, Paltalk has launched this new suit. While it likes to claim that the Microsoft settlement validates the patent, all it really does is show that Microsoft realized it was cheaper to settle than to fight. It would be rather useful to know which patents these are, specifically, because virtual worlds that let multiple people see the same thing have a pretty long history.